Description
The DKIM key has to be generated on FortiMail, which then makes a file containing a pre-configured DNS TXT record available for download. However, there is no way to change any parameter of the DKIM key generation.
Example of downloaded file:
test._domainkey IN TXT ("t=y; k=rsa; p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH83XJcrIv8PRDkmCDh0kq5SyCeo7U3UTsLEPzjOxU/tHojPZ3av/5JNRGVwuEppzXUI0DE+q+qUgpiICXqbbdZpurVz9qPEfyikWpuDxeSmJb5ioUap4OenHOFEM+/UV42B7DCrytXgo+o5btV0sn0eoquR"
"VK4Hzuixw+uQTuzRlGnBqv0FbUgVBJwYSX9DZdlGjvvmJf93rZaLhnXzPVUc+PH5JndZkPi6ScM+ZYkaspcCXC5VY1+ZRd16HO1hSgyrE7ciLfiZ9T3oXsNu92DLX22+oj+k0v5Io7t63IgpyKc3TI9hQL7oNy07MKdGrNRsDOMWgEBguvP1Qa+2QwIDAQAB")
Consult the FortiMail Admin Guide in the Fortinet Document Library for more information about DKIM configuration.
In some cases, the DNS TXT record does not work when inserted into the DNS server. Some online validation tools report errors for this DNS TXT record, for example “This is not a good DKIM key record”.
Solution
A single string in a TXT record is limited to 255 bytes. If a string in a TXT record is longer than that, the TXT record is not valid.
As defined in RFC 1035, a DNS TXT record can be composed of more than one string. FortiMail creates the DKIM key record in exactly this way: the TXT record consists of several strings enclosed in parentheses, effectively making the TXT record longer than 255 bytes.
This is described in RFC 4408.
To fix the issue, the proper configuration has to be done on the DNS server side.
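A record can be checked against the multi-string rule before it is published. The Python sketch below is an added example, not FortiMail or Fortinet code: it enforces the 255-byte limit per string, joins the strings without a separator as a DKIM verifier does, and confirms that p= is still valid base64. The function names are hypothetical and the key is constructed filler, not a real DKIM key.

```python
import base64
import re

MAX_STRING = 255  # RFC 1035: one <character-string> holds at most 255 bytes

def parse_zone_rdata(rdata):
    """Extract the quoted strings from zone-file TXT RDATA such as ("a" "b").
    Escaped quotes are not handled; DKIM records do not contain them."""
    return re.findall(r'"([^"]*)"', rdata)

def check_dkim_strings(parts):
    """Check TXT strings as a verifier receives them; return (value, problems)."""
    problems = []
    for i, part in enumerate(parts):
        size = len(part.encode())
        if size > MAX_STRING:
            problems.append(f"string {i} is {size} bytes, limit is {MAX_STRING}")
    value = "".join(parts)  # strings are concatenated with no separator
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, _, val = item.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    try:
        key = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:  # stray quotes or other non-base64 characters in p=
        key = b""
    if not key:
        problems.append("p= is missing or not valid base64")
    return value, problems

def split_for_zone(value, size=MAX_STRING):
    """Render one long ASCII value as quoted strings of at most `size` bytes."""
    chunks = [value[i:i + size] for i in range(0, len(value), size)]
    return "(" + " ".join(f'"{c}"' for c in chunks) + ")"

# Constructed sample data: 294 filler bytes stand in for a 2048-bit public key.
FAKE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
VALUE = "t=y; k=rsa; p=" + FAKE_KEY
GOOD = f'("t=y; k=rsa; p=" "{FAKE_KEY[:200]}" "{FAKE_KEY[200:]}")'

if __name__ == "__main__":
    print(check_dkim_strings(parse_zone_rdata(GOOD))[1])  # multi-string form
    print(check_dkim_strings([VALUE])[1])                 # one oversized string
    print(check_dkim_strings([GOOD[1:-1]])[1])            # quotes pasted as data
    print(split_for_zone(VALUE))
```

The third call models the record body being pasted into a single value field with its inner quotes intact, which both exceeds the string limit and corrupts the p= tag.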